[00:00.000 --> 00:06.180]  2020 trying to kill this pandemic really hit. I went ahead and scanned the internet and took the
[00:06.180 --> 00:13.760]  top 10 countries with assets that say hello to the internet. And that's in the yellowish.
[00:13.900 --> 00:22.000]  I'm not sure how much you can see because of the big DEF CON logo. And in the orangish bar,
[00:22.000 --> 00:29.080]  those are remote-only access protocols that I was looking for, and also certain versions,
[00:29.080 --> 00:38.580]  older versions of SSH, FTP, remote desktop protocol, etc. So what I found was, for instance,
[00:38.580 --> 00:47.660]  the United States has 47,500,000 assets. Out of those assets, when I was looking only for
[00:47.660 --> 00:55.900]  known exploitable remote access vulnerabilities, there were almost 12.5 million ones that I could
[00:55.900 --> 01:02.180]  find for the United States, which is not a great ratio. However, I will say that some of the assets
[01:02.180 --> 01:09.660]  that I scanned, they can have multiple vulnerabilities. Looking at between the U.S. and China,
[01:09.660 --> 01:15.060]  China has almost eight and a half million assets on the internet that say hello,
[01:15.060 --> 01:21.900]  but almost five million of those are remotable with no exploits and vulnerabilities in them.
[01:22.640 --> 01:30.280]  The one country that did fairly well was actually the United Kingdom, with their ratio between
[01:30.280 --> 01:36.960]  assets and exploitable vulnerabilities, and one of the reasons for that was several years ago,
[01:36.960 --> 01:43.700]  they did something very fantastic. They instituted this thing,
[01:45.240 --> 01:50.340]  a cyber program for anyone doing business with the UK, and also critical infrastructure,
[01:50.340 --> 01:58.500]  had to really take a look at their stuff and go ahead and pass an audit, in most cases,
[01:58.560 --> 02:03.380]  a self-audit, depending on your level of access with the government and also critical infrastructure,
[02:03.380 --> 02:09.760]  and they were able to get a head start, and so they actually are doing fairly well in comparison
[02:09.760 --> 02:17.120]  to the rest of the top ten. So another thing that we have to consider is because
[02:17.120 --> 02:24.700]  things are now industrial IoT devices, or IoT devices, this means that you can have a control
[02:24.700 --> 02:32.960]  system that is IoT enabled. Now, in this case, I like to take a look at Tesla stuff, because
[02:32.960 --> 02:42.760]  I just do. And you can actually use Censys.io, what I call census.org, to find various Tesla
[02:42.760 --> 02:49.960]  Powerwalls. And what's interesting about this is, even though Tesla has some security,
[02:49.960 --> 02:56.020]  it's still single-factor authentication, there's still a web interface, the customer doesn't
[02:56.020 --> 03:02.380]  necessarily have to set up any real security, so there's admin-admin kind of stuff, depending on
[03:02.380 --> 03:12.500]  the version of the software. Tesla does not force down updates like Windows 10, or their cars,
[03:12.760 --> 03:19.440]  so there are a lot of old versions. And what you can actually pull back is the configuration of
[03:19.440 --> 03:25.220]  the Powerwalls, the versions, timestamps, showing the last login, how long it's been up,
[03:25.220 --> 03:31.820]  if it's updating or not, and a bevy of other diagnostic information. And what's unfortunate
[03:31.820 --> 03:41.440]  is, if you're able to get into some of these systems, which you can, you can do more nefarious
[03:41.440 --> 03:48.160]  things. Like, imagine a region of Powerwalls that suddenly all of their electricity got dumped
[03:48.160 --> 03:56.060]  on the energy grid. That would be a very bad thing. Or if it was connected to some sort of crucial
[03:56.720 --> 04:02.440]  hardware, that would be a bad thing. And in this particular case, this one
[04:02.440 --> 04:09.260]  was connected to a crane. Who doesn't want to own their own crane? Well, you can too.
[04:09.820 --> 04:17.020]  So, you have to understand that if it's running a web server, I don't care if it's, I don't know,
[04:17.020 --> 04:22.720]  power bank, or a piece of industrial equipment, or whatever, you can hack it like a web server.
[04:22.720 --> 04:32.720]  Remember that. So, I do a lot in aviation. Sometimes that's good, sometimes they hate me.
[04:33.740 --> 04:41.500]  So, either way, you know. So, there are various ways to get into various things, and one of the
[04:41.500 --> 04:48.920]  dangers that we have is a lot of remote desktop protocol. You can actually buy exploited systems
[04:48.920 --> 04:59.160]  on the scary dark web from a dollar to ten dollars a piece. If they have RDP, ten dollars is for
[04:59.160 --> 05:05.600]  typically US military assets that are found. In this case, this one belongs to Airbus,
[05:05.600 --> 05:12.880]  where luckily the admin happens to be logged in. I wonder what the password might be.
[05:13.100 --> 05:19.940]  The CN is actually the certificate, which I could match up to absolutely belonging to Airbus.
[05:20.240 --> 05:27.200]  Another fun fact is depending on the aircraft, some Airbus aircraft actually use Windows CE
[05:27.700 --> 05:36.540]  in their aircraft. Yay! So, I'm not sure you may or may not have heard much about Boeing,
[05:36.540 --> 05:41.480]  other than some of their planes like to fall from the sky because they have software issues.
[05:41.700 --> 05:46.940]  And starting last year, one of the things I did, and by the way, hi, Boeing, I know you still want
[05:46.940 --> 05:53.400]  to put me in jail, was that I took a look around some of their infrastructure and found that it was
[05:53.400 --> 06:01.460]  incredibly bad. For instance, at the time, Boeing.com and its websites didn't even use
[06:01.460 --> 06:08.000]  HTTPS or any encryption for their websites. And this included login systems. Yay!
[06:08.660 --> 06:14.660]  I was able to get into the R&D section of their flight control software, which also included the
[06:14.660 --> 06:23.220]  737 MAX aircraft, because to authenticate, I was using Firefox with NoScript running,
[06:23.220 --> 06:29.360]  and the website had a message, you are not running scripts. Please press this button.
[06:29.360 --> 06:37.300]  Press the button. I was in. How awesome is that? There were six cross-site scripting vulnerabilities
[06:37.300 --> 06:44.700]  in the live in production flight control aviation ID system. Woo-hoo! Right?
[06:44.740 --> 06:48.960]  And the interesting thing about this is, if you can get into the flight control system
[06:48.960 --> 06:57.100]  or software, and you know what you are doing, the process is, the technician will download
[06:57.100 --> 07:01.540]  what's needed for their aircraft, put it on a maintenance laptop, that maintenance laptop
[07:01.540 --> 07:07.900]  plugs into the aircraft itself, into the flight control system. So imagine some of the mayhem
[07:07.900 --> 07:18.000]  that you could do, because Boeing had zero effort and zero knowledge in security. Funny enough,
[07:18.000 --> 07:26.540]  they do sell cyber security services as consultants to the U.S. government. However,
[07:26.540 --> 07:30.340]  I guess they never ate their own dog food and looked at their own stuff.
[07:30.340 --> 07:36.920]  There were even hard-coded credentials in an older version of SAML that you could easily decode.
[07:36.920 --> 07:47.020]  The response from Boeing was, you're a criminal, harassment, no bug bounty. And it was only after
[07:48.080 --> 07:53.140]  my 59-page report went through and it got media attention after a disclosure period
[07:53.140 --> 07:58.420]  that they were forced to start their first vulnerability disclosure program,
[07:59.600 --> 08:05.240]  which they said it was based on my report. However, as far as I'm aware, Boeing still gives
[08:05.240 --> 08:14.360]  zero bug bounty awards. So agriculture is nice, because I think all of us like to eat.
[08:14.360 --> 08:21.080]  And this is an instance where it's a control system that is now an industrial IoT system
[08:21.080 --> 08:26.440]  that is hanging on the internet, that has a web server that has never been security tested,
[08:26.440 --> 08:36.520]  with no authentication. And it happens to be a European fish farm, a salmon farm to be exact.
[08:36.520 --> 08:43.760]  And you can actually, in real life, press the buttons and you can modify the operations of this.
[08:44.940 --> 08:53.020]  So we like water. Mexichem is actually a major bottled water provider,
[08:53.020 --> 09:00.460]  manufacturer, amongst other things, in Latin America, in South Africa. They do a lot of stuff.
[09:00.560 --> 09:10.020]  So I was looking around, because I get curious and bored, and I was very quickly able to find,
[09:10.020 --> 09:19.100]  because they allowed LDAP to be exposed to the internet, I found 24 pages of assets
[09:19.660 --> 09:26.040]  from the IT side on the business level, all the way down to on the control level for their
[09:26.040 --> 09:34.920]  Windows-based SCADA systems. And this was rather unfortunate, because some of the systems that I
[09:34.920 --> 09:42.900]  was able to find was this wonderful, what's called HMI, Human Machine Interface, the same exact
[09:42.900 --> 09:49.100]  version that was vulnerable to some of the BlackEnergy attacks. And you didn't actually have to
[09:49.100 --> 09:55.900]  log in, because it was never set up correctly. I could access the drives that it was attached to,
[09:55.900 --> 10:05.200]  I could import and delete recipes, which is actually the production recipe of what the
[10:05.200 --> 10:13.360]  machinery will be doing, and I could just click as many buttons as I wanted to. I could even export
[10:13.360 --> 10:22.060]  the administration data, all at the touch of my fingertips, from my comfortable, small Amsterdam
[10:22.060 --> 10:29.420]  house. And Mexichem also produces various different types of chemicals, some of which are
[10:29.420 --> 10:36.420]  more controlled, so that they don't fall in the hands of really bad people who want to make things
[10:36.420 --> 10:48.300]  go boom. So another thing to consider is, we're talking about IoT systems, they can be anywhere.
[10:48.760 --> 10:53.380]  They could be inside a hospital, they could be on sensitive networks, they could be
[10:54.000 --> 11:04.340]  at nuclear physics labs in Russia, and they could also be inside control systems, so that you can
[11:04.340 --> 11:13.940]  actually, you know, use a printer. And so I was able to have a bit of fun, again, being bored,
[11:13.940 --> 11:22.060]  don't ever let me get bored, and use Censys and a few other scanning tools to quickly find as many
[11:22.060 --> 11:28.620]  particular printers as possible. It stemmed from the fact I was having a problem with my printer,
[11:28.620 --> 11:35.500]  and I downloaded the Brother admin tool, which covers almost all of their models, and I noticed
[11:35.500 --> 11:42.360]  that it had never been security tested. So I went ahead and flipped it around and turned it into a
[11:43.960 --> 11:54.460]  weaponized piece of admin tool. And a lot of these printers will have web interfaces. So I had a lot
[11:54.460 --> 12:01.300]  of fun with cross-site scripting, but most of my fun came from using the admin tool. See, once you
[12:01.300 --> 12:08.160]  find one of these printers, it's not that difficult to find, you can use the free Brother admin tool,
[12:08.160 --> 12:14.480]  go ahead and put in the IP address, and then connect to somebody else's printer anywhere in
[12:14.480 --> 12:21.660]  the world. You can see how much ink they have, you can even order, if it's set up in their printer,
[12:22.400 --> 12:27.280]  ink and toner supplies, because, hey, toner's worth more than platinum.
[12:28.160 --> 12:36.760]  And you can also send files directly to the printer. So I had a lot of fun with this,
[12:37.860 --> 12:44.220]  but unfortunately, Brother, like most printer manufacturers, do not have a vulnerability
[12:44.220 --> 12:51.340]  disclosure program, nor did they ever think that you could use this lovely free tool available now
[12:51.340 --> 12:59.600]  to download, and you can weaponize it and really make printers' lives uncomfortable. Bonus item,
[12:59.600 --> 13:04.940]  if it's a multifunctional printer that's more of the commercial variety that has a hard drive
[13:04.940 --> 13:10.620]  installed, and, say, Human Resources uses it as a scanner for different types of identification
[13:10.620 --> 13:16.700]  systems, you can even access the hard drive where it saves those scans and get all sorts of
[13:16.700 --> 13:24.600]  personally identifiable information and health data just by using this tool. So I like space,
[13:25.260 --> 13:33.640]  and one of the things that is a bit problematic is, just like regular industrial systems,
[13:33.640 --> 13:38.640]  once you put something in space, it's expected to last a while. There's even a space satellite
[13:38.640 --> 13:47.440]  that is in a very interesting orbit that is up there for over 50 years. There's a lot of legacy
[13:47.440 --> 13:52.880]  stuff. Once you put something up there, it's not like you can go, hey, guess what? We've got this
[13:52.880 --> 13:57.780]  new type of encryption. You know what? It needs a chip to be able to process it. We're just going
[13:57.780 --> 14:05.860]  to replace that chip in the satellite. That doesn't happen. And what we did last year was,
[14:05.860 --> 14:11.420]  in the United Kingdom, thanks to Oxford who funded it and De Montfort University,
[14:11.860 --> 14:17.780]  we held the first space hackathon at Royal Holloway University to discuss these things
[14:17.780 --> 14:23.180]  with cleared PhD students who were given a lot of information by myself and others
[14:23.180 --> 14:29.460]  on some of the problems with current and new space assets, because they're really industrial
[14:29.460 --> 14:37.120]  IoT devices, and how to combat some of those problems, because encryption might not be there.
[14:37.120 --> 14:42.340]  I believe it was only the year before last that the FTC mandated that new space asset
[14:42.340 --> 14:47.340]  actually had to have the ability to use encryption. And we've seen some satellite
[14:47.340 --> 14:55.560]  systems being used in various cyber crime attacks and malware, because if you can put one of your
[14:55.560 --> 15:00.860]  hops and traceability on a satellite, it kind of makes it a bit hard to see who's actually behind
[15:00.860 --> 15:06.480]  different things. So a lot of cool stuff came out of this hackathon. PhD students were absolutely
[15:06.480 --> 15:13.380]  fantastic and energetic. They listed a lot of very pertinent risks that we had to consider,
[15:13.380 --> 15:21.440]  such as the current UN space treaties do not cover private companies when it comes to warfare.
[15:21.760 --> 15:28.200]  It only covers nation states. And the fact that some major players in the market,
[15:28.960 --> 15:36.000]  if you want to watch a great older movie, I believe it's called Moonraker, it's a James Bond
[15:36.000 --> 15:43.920]  movie, where a really rich guy with way too much money decides to go into space and then try to
[15:43.920 --> 15:53.220]  take over the world by going to war in space as a private company. And so some of the risks listed
[15:53.220 --> 16:01.360]  were, for example, Elon Musk and his program, because anyone can turn evil, and he already
[16:01.360 --> 16:09.940]  thinks that the pyramids were created by aliens. So to give a brief example, you can actually find
[16:09.940 --> 16:16.920]  some of these systems. Now, there's different ways that you can find various space IoT systems.
[16:16.920 --> 16:21.680]  A lot of them you'll find are actually land systems, so then communicate up, but those land
[16:21.680 --> 16:28.660]  systems, they can actually unfortunately be hacked. In this particular case, I was able to find a
[16:28.660 --> 16:36.580]  relay connection up to a satellite, and I didn't want to give away too much information because
[16:36.580 --> 16:42.160]  they have not gotten back to me. I was able to find this particular device was running my favorite
[16:42.160 --> 16:47.980]  protocol Modbus with no authentication. It could give the device ID, function codes, and all sorts
[16:47.980 --> 16:54.700]  of information about it. And by looking into various user manuals that are freely available,
[16:54.700 --> 16:59.780]  I was able to find that it was called a Sunny String Monitor that was attached to the satellite.
[16:59.920 --> 17:07.860]  And what it does is it looks for sun and goes ahead and opens a solar array on a satellite
[17:07.860 --> 17:14.500]  system to give a power or closes it down when there's nothing available, or can move it around
[17:14.680 --> 17:23.100]  a little bit. So imagine what you could do with that. So why is this kind of important? Last month,
[17:23.100 --> 17:28.080]  the United Nations Institute for Disarmament Research asked me to give a presentation,
[17:28.160 --> 17:33.600]  a closed dialogue session, to permanent member states with other member states as observers.
[17:33.740 --> 17:41.920]  And I brought up the fact that we need to be a lot more proactive. And although the United
[17:41.920 --> 17:49.900]  Nations in 2015 established that member states are responsible for securing their ICT cyberspace,
[17:49.900 --> 17:57.120]  that also includes space assets, that also includes industrial systems, etc., they agreed
[17:57.120 --> 18:02.460]  to establish a computer emergency response team. And that's well and good. It's fantastic. It's
[18:02.460 --> 18:09.100]  much needed. But that also is very, very reactive and constantly you're putting out fires. So it's
[18:09.100 --> 18:15.180]  very difficult for you to be proactive. So I brought up with them that I'm currently working
[18:15.180 --> 18:21.200]  with part of the European Union to actually establish their first proactive computer
[18:21.200 --> 18:30.920]  emergency protection team, a CEPT. And CERT step one, CEPT step two, to try to alleviate some of
[18:30.920 --> 18:36.500]  the burden and also try to catch things as quickly as possible before they become major incidents.
[18:36.880 --> 18:43.020]  Now, back in 2009, this is also another reason why it's kind of important is I detected a cyber
[18:43.020 --> 18:49.500]  warfare attack, the second wave of such attacks caused by malware that the North Koreans created.
[18:49.500 --> 18:54.080]  One of the things they did was they leveraged higher speed bandwidth in Northern Europe
[18:55.140 --> 19:02.840]  to go ahead and have those various devices aim at the South Korean infrastructure and
[19:02.840 --> 19:07.160]  also part of the infrastructure of the United States. So they attacked the South Korean version
[19:07.160 --> 19:12.420]  of the White House and also the U.S. version of the White House. They tried to affect the New
[19:12.420 --> 19:21.680]  York Stock Exchange and a lot of other very important places. And because we were also monitoring
[19:21.680 --> 19:28.820]  in my shop ICS systems that had internet connectivity, we found that some of the
[19:28.820 --> 19:36.620]  Windows-based stuff actually was also affected and was trying to take down part of South Korea
[19:36.620 --> 19:43.280]  and the U.S. So you can actually, unfortunately, weaponize with various types of malware,
[19:43.280 --> 19:51.520]  IT, IoT, and ICS as we keep seeing. But even in 2009, 11 years ago, we were seeing this type
[19:51.520 --> 19:57.120]  of stuff. So we need to take it much more seriously with the vendors as well as the
[19:57.120 --> 20:03.400]  critical infrastructure operators and get the tech community involved because academia is great,
[20:03.400 --> 20:09.020]  government experts are fantastic, but it's us and you watching this that have that
[20:09.020 --> 20:17.260]  hacker mentality and can actually express it and find ways in and out that others can't.
[20:17.580 --> 20:25.000]  So with that, I will be available on Discord for questions. Hopefully I get the right Discord
[20:25.000 --> 20:32.040]  channel. I wanted to give a huge shout out to Omar (@santosomar) and the Red Team Village for
[20:32.040 --> 20:37.380]  inviting me. If you also would like to contact me about things that are going on in the Middle
[20:37.380 --> 20:44.380]  East, I believe my contact information is now on the Middle East Institute's website. And feel free
[20:44.380 --> 20:51.480]  to contact me on Twitter and I take DMs, just no weird pictures, no weird sexy type pictures. Let
[20:51.480 --> 20:57.240]  me stress that. I love pictures of cats. So thank you very, very much, Red Team Village. It is
[20:57.240 --> 21:03.220]  greatly appreciated. Thank you so much for supporting us and for the great presentation.
[21:03.220 --> 21:07.900]  You are getting a lot of kudos in Discord. So talking about Discord, if you're joining us,
[21:07.900 --> 21:11.800]  you know, you can see the link in the bottom of the screen. There's a link to a website
[21:12.520 --> 21:18.780]  where, you know, has a lot of other information about the speakers, along with, you know, all
[21:18.780 --> 21:23.120]  the activities that are happening in, of course, in DEF CON. So with that said, we're going to go
[21:23.120 --> 21:29.260]  on a break for a few minutes, and then the next presentation will be up in probably about 15 to 20
[21:29.260 --> 21:35.020]  minutes. So thank you again, Chris. Great presentation. Have a nice one. All right, cheers.
